From: Richard Weinberger Date: Fri, 2 Aug 2024 10:08:44 +0000 (+0200) Subject: dlmalloc: Fix integer overflow in request2size() X-Git-Url: http://git.dujemihanovic.xyz/img/sics.gif?a=commitdiff_plain;h=8642b2178d2c4002c99a0b69a845a48f2ae2706f;p=u-boot.git dlmalloc: Fix integer overflow in request2size() req is of type size_t, casting it to long opens the door for an integer overflow. Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX cause and overflow such that request2size() returns MINSIZE. Fix by removing the cast. The origin of the cast is unclear, it's in u-boot and ppcboot since ever and predates the CVS history. Doug Lea's original dlmalloc implementation also doesn't have it. Signed-off-by: Richard Weinberger Reviewed-by: Simon Glass --- diff --git a/common/dlmalloc.c b/common/dlmalloc.c index 1e1602a24d..48e83da6cb 100644 --- a/common/dlmalloc.c +++ b/common/dlmalloc.c @@ -386,8 +386,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /* pad request bytes into a usable size */ #define request2size(req) \ - (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ - (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ + ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ + (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK))) /* Check if m has acceptable alignment */